Image Courtesy: Valve

New Security Vulnerability in CS2

An HTML sanitization flaw in how Steam profile names are rendered has led to HTML injection through Steam names.

A new vulnerability has been discovered in CS2 allowing players to inject HTML markup (and, as was initially feared, possibly JavaScript) into their Steam names and consequently into the game itself. The cause appears to be that the Steam name is rendered by the game without being sanitized or escaped, a check that seems to have been lost during one of the many updates Steam and CS2 receive regularly.

Sanitizing an input is the process of applying a set of rules to it that either strip unwanted parts of the text (such as tags) or encode characters with special meaning in the output format, for HTML the characters "<", ">", "&" and quotes, as escape sequences ("&lt;", "&gt;", "&amp;", "&quot;"). Either way the goal is that user-supplied text is displayed as text and never interpreted as markup or code by the program that renders it.

With such checks apparently missing from the code, some users were able to simply set a Steam name containing an HTML fragment like "<img src='[image link]'>" and have the game treat the name as markup rather than text. The exploit is most apparent in the player kick vote screen: a Steam name of that form causes the referenced image to be rendered inside the vote window itself.
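The following is an added illustration of the mechanism described above, written for this article; it is not Valve's or CS2's own UI code. It models the vote panel as a string of HTML built from the player's name, shows how an unescaped name such as the constructed image tag below becomes markup, and shows the escaping that makes the same name display literally, plus a check that flags names an HTML tokenizer would treat as the start of a tag. All names and the logger URL are constructed placeholders.

```javascript
// Added example, not CS2/Panorama code. Models the "kick vote" row as an HTML
// string built from a player-controlled Steam name.

// Characters that change meaning in HTML text or attribute context.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape user-supplied text so the renderer displays it literally.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// Vulnerable rendering: the raw name is concatenated straight into markup,
// so any tag inside the name is parsed and rendered by the UI.
function renderVoteRowUnsafe(playerName) {
  return `<div class="vote-row">Kick ${playerName}?</div>`;
}

// Hardened rendering: the name is escaped before it reaches the markup.
function renderVoteRowSafe(playerName) {
  return `<div class="vote-row">Kick ${escapeHtml(playerName)}?</div>`;
}

// Detection helper: per the HTML tokenizer, "<" followed by an ASCII letter
// (or "</") opens a tag, while "<" followed by anything else is plain text.
// Useful for logging or alerting on suspicious names, not as the only fix.
const TAG_START = /<\/?[a-z]/i;
function looksLikeMarkup(playerName) {
  return TAG_START.test(playerName);
}

// Constructed malicious name of the kind the article describes. The host is
// a placeholder; an attacker would point it at an IP-logging endpoint, and
// every client that renders the vote panel would fetch the image from there.
const MALICIOUS_NAME = "<img src='https://logger.example/pixel.png'>";

console.log('unsafe:', renderVoteRowUnsafe(MALICIOUS_NAME));
console.log('safe:  ', renderVoteRowSafe(MALICIOUS_NAME));
console.log('flagged:', looksLikeMarkup(MALICIOUS_NAME), looksLikeMarkup('a < b'));
```

The unsafe path emits a working `<img>` element inside the vote row, which is exactly the symptom players observed; the safe path emits the same characters as entities, so the name is shown verbatim and no request is made to the attacker's host. Escaping at the rendering boundary is the fix; rejecting names that match `looksLikeMarkup` is a useful secondary signal but would also block harmless names like "a < b" if written too loosely, which is why the check follows the tokenizer's rule.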

Because each affected client fetches the injected image directly from whatever host the attacker names, and nothing sits between the player's machine and that host, the exploit combines with the many readily available IP logging tools to let a malicious actor collect the IP addresses of every player who sees the vote window. While this was initially reported as an XSS (Cross-Site Scripting) vulnerability, which would have implied script execution and potentially access to the affected player's Steam account or session, the reality is that it is in fact a much more limited HTML injection problem.

Nevertheless, players should exercise caution and refrain from playing the game on public servers until the exploit is fixed, especially higher-level players, whose professional matches could be disrupted by targeted DDoS attacks against their IP addresses. Given the severity of the issue, Valve is expected to issue an update at the earliest opportunity.
